X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/45dde9418dd342bb1a632d82559201c0b3becf1a..22bfa5e6f8152e492f21ae2c972a164474cfdd61:/cookbooks/exim/recipes/default.rb?ds=sidebyside diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb index 7c80f9a0d..a9f6472e6 100644 --- a/cookbooks/exim/recipes/default.rb +++ b/cookbooks/exim/recipes/default.rb @@ -17,6 +17,7 @@ # limitations under the License. # +include_recipe "munin" include_recipe "networking" package %w[ @@ -25,7 +26,9 @@ package %w[ ssl-cert ] -package "exim4-daemon-heavy" if File.exist?("/var/run/clamav/clamd.ctl") +package "exim4-daemon-heavy" do + only_if { ::File.exist?("/var/run/clamav/clamd.ctl") } +end group "ssl-cert" do action :modify @@ -76,6 +79,36 @@ if node[:exim][:smarthost_name] search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host| relay_from_hosts |= host.ipaddresses(:role => :external) end + + domains = node[:exim][:certificate_names].select { |c| c =~ /^a\.mx\./ }.collect { |c| c.sub(/^a\.mx./, "") } + primary_domain = domains.first + + directory "/srv/mta-sts.#{primary_domain}" do + owner "root" + group "root" + mode 0o755 + end + + domains.each do |domain| + template "/srv/mta-sts.#{primary_domain}/#{domain}.txt" do + source "mta-sts.erb" + owner "root" + group "root" + mode 0o644 + variables :domain => domain + end + end + + ssl_certificate "mta-sts.#{primary_domain}" do + domains domains.collect { |d| "mta-sts.#{d}" } + notifies :reload, "service[apache2]" + end + + apache_site "mta-sts.#{primary_domain}" do + template "apache-mta-sts.erb" + directory "/srv/mta-sts.#{primary_domain}" + variables :domains => domains + end end file "/etc/exim4/blocked-senders" do @@ -84,6 +117,39 @@ file "/etc/exim4/blocked-senders" do mode 0o644 end +if node[:exim][:dkim_selectors] + keys = data_bag_item("exim", "dkim") + + template "/etc/exim4/dkim-domains" do + owner "root" + source "dkim-domains.erb" + group "Debian-exim" + mode 0o644 + end + + template "/etc/exim4/dkim-selectors" do + owner "root" + source "dkim-selectors.erb" + group "Debian-exim" + mode 0o644 + end + + directory "/etc/exim4/dkim-keys" do + owner "root" + group "Debian-exim" + mode 0o755 + end + + node[:exim][:dkim_selectors].each do |domain, _selector| + file "/etc/exim4/dkim-keys/#{domain}" do + content keys[domain].join("\n") + owner "root" + group "Debian-exim" + mode 0o640 + end + end +end + template "/etc/exim4/exim4.conf" do source "exim4.conf.erb" owner "root" @@ -156,7 +222,7 @@ else end end -if node[:exim][:smarthost_via] # ~FC023 +if node[:exim][:smarthost_via] firewall_rule "deny-outbound-smtp" do action :reject source "fw"